Avoid loading optional modules from default . (CVE-2016-1238)

2016-08-02 17:33:52 +02:00
8 changed files with 47 additions and 278 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
-1
--- a/IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ b/IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@ -0,0 +1,23 @@
+diff -ru IO-Compress-2.069-orig/bin/zipdetails IO-Compress-2.069/bin/zipdetails
+--- IO-Compress-2.069-orig/bin/zipdetails	2014-01-31 07:52:56.000000000 +1100
+++ IO-Compress-2.069/bin/zipdetails	2016-07-28 10:10:17.812926303 +1000
+@@ -5,6 +5,7 @@
+ # Display info on the contents of a Zip file
+ #
+ 
+BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings ;
+ 
+diff -ru IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm
+--- IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm	2015-09-27 04:34:31.000000000 +1000
+++ IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm	2016-07-28 10:08:45.064332089 +1000
+@@ -27,6 +27,8 @@
+ 
+ BEGIN
+ {
+   local @INC = @INC;
+   pop @INC if $INC[-1] eq '.';
+    eval ' use IO::Uncompress::Adapter::Inflate 2.069 ;';
+    eval ' use IO::Uncompress::Adapter::Bunzip2 2.069 ;';
+    eval ' use IO::Uncompress::Adapter::LZO 2.069 ;';
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
--- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
--- a/perl-IO-Compress.rpmlintrc
+++ b/perl-IO-Compress.rpmlintrc
@ -1,3 +0,0 @@
-from Config import *
-addFilter("spelling-error %description -l en_US zlib -> ")
-addFilter("spelling-error %description -l en_US gzip -> ")
--- a/perl-IO-Compress.spec
+++ b/perl-IO-Compress.spec
@ -1,40 +1,32 @@
-# Run time expensive tests
 %bcond_without long_tests
-# Run optional test
-%if ! (0%{?rhel})
-%bcond_without perl_IO_Compress_enables_optional_test
-%else
-%bcond_with perl_IO_Compress_enables_optional_test
-%endif
-
-# Dependency version if different to this package version
-#global depver 2.201
-
 %{?perl_default_filter}

 Name:           perl-IO-Compress
-Version:        2.201
-Release:        3%{?dist}
+Version:        2.069
+Release:        367%{?dist}
 Summary:        Read and write compressed data
 License:        GPL+ or Artistic
-URL:            https://metacpan.org/release/IO-Compress
-Source0:        https://cpan.metacpan.org/modules/by-module/IO/IO-Compress-%{version}.tar.gz
+Group:          Development/Libraries
+URL:            http://search.cpan.org/dist/IO-Compress/
+Source0:        http://search.cpan.org/CPAN/authors/id/P/PM/PMQS/IO-Compress-%{version}.tar.gz
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch0:         IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch:      noarch
 # Module Build
 BuildRequires:  coreutils
 BuildRequires:  findutils
 BuildRequires:  make
+BuildRequires:  perl
 BuildRequires:  perl-generators
-BuildRequires:  perl-interpreter
-BuildRequires:  perl(Config)
-BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.76
+BuildRequires:  perl(ExtUtils::MakeMaker) >= 5.16
 BuildRequires:  perl(File::Copy)
 BuildRequires:  perl(File::Spec::Functions)
 # Module Runtime
 BuildRequires:  perl(bytes)
 BuildRequires:  perl(Carp)
-BuildRequires:  perl(Compress::Raw::Bzip2) >= %{?depver}%{!?depver:%{version}}
-BuildRequires:  perl(Compress::Raw::Zlib) >= %{?depver}%{!?depver:%{version}}
+BuildRequires:  perl(Compress::Raw::Bzip2) >= %{version}
+BuildRequires:  perl(Compress::Raw::Zlib) >= %{version}
+BuildRequires:  perl(Config)
 BuildRequires:  perl(constant)
 BuildRequires:  perl(Encode)
 BuildRequires:  perl(Exporter)
@ -44,30 +36,23 @@ BuildRequires:  perl(File::Spec)
 BuildRequires:  perl(IO::File)
 BuildRequires:  perl(IO::Handle)
 BuildRequires:  perl(List::Util)
+BuildRequires:  perl(POSIX)
 BuildRequires:  perl(Scalar::Util)
 BuildRequires:  perl(strict)
 BuildRequires:  perl(Symbol)
-BuildRequires:  perl(Time::Local)
 BuildRequires:  perl(utf8)
 BuildRequires:  perl(warnings)
 # Test Suite
 BuildRequires:  perl(File::Path)
-BuildRequires:  perl(lib)
-BuildRequires:  perl(threads::shared)
-%if !%{defined perl_bootstrap}
-BuildRequires:  perl(Test::More)
-%endif
-%if %{with perl_IO_Compress_enables_optional_test}
-# Optional Tests
-BuildRequires:  perl(bytes)
-BuildRequires:  perl(Data::Dumper)
 BuildRequires:  perl(File::Temp)
+BuildRequires:  perl(lib)
 BuildRequires:  perl(overload)
 # Dual-lived module needs building early in the boot process
 %if !%{defined perl_bootstrap}
 BuildRequires:  perl(Test::NoWarnings)
+BuildRequires:  perl(Test::Pod) >= 1.00
 %endif
-%endif
+BuildRequires:  perl(threads::shared)
 # Runtime
 Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires:       perl(File::Glob)
@ -82,16 +67,6 @@ Provides:       perl-IO-Compress-Bzip2 = %{version}-%{release}
 Obsoletes:      perl-IO-Compress-Zlib < %{version}-%{release}
 Provides:       perl-IO-Compress-Zlib = %{version}-%{release}

-# Filter modules bundled for tests
-%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}perl\\(CompTestUtils\\)
-%global __requires_exclude %{__requires_exclude}|^perl\\(.*\.pl)\s*$
-%if %{defined perl_bootstrap}
-%global __requires_exclude %{__requires_exclude}|^perl\\(Test::Builder)\s*$
-%global __requires_exclude %{__requires_exclude}|^perl\\(Test::More)\s*$
-%global __requires_exclude %{__requires_exclude}|^perl\\(Test::Simple)\s*$
-%endif
-%global __provides_exclude_from %{?__provides_exclude_from:%__provides_exclude_from|}^%{_libexecdir}
-
 %description
 This distribution provides a Perl interface to allow reading and writing of
 compressed data created with the zlib and bzip2 libraries.
@ -106,81 +81,34 @@ included with the IO-Compress distribution:
 * IO-Compress-Bzip2
 * IO-Compress-Base

-%package tests
-Summary:        Tests for %{name}
-Requires:       %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
-Requires:       perl-Test-Harness
-
-%description tests
-Tests from %{name}-%{version}. Execute them
-with "%{_libexecdir}/%{name}/test".
-
 %prep
 %setup -q -n IO-Compress-%{version}
+%patch0 -p1

 # Remove spurious exec permissions
 chmod -c -x lib/IO/Uncompress/{Adapter/Identity,RawInflate}.pm
 find examples -type f -exec chmod -c -x {} \;

-%if ! %{defined perl_bootstrap}
-# Remove bundled Test::* modules
-rm -rf t/Test
-perl -i -ne 'print $_ unless m{^t/Test/}' MANIFEST
-%endif
-
 # Fix shellbangs in examples
-perl -MConfig -pi -e 's|^#!/usr/local/bin/perl\b|$Config{startperl}|' examples/io/anycat \
+perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' examples/io/anycat \
        examples/io/bzip2/* examples/io/gzip/* examples/compress-zlib/*

-# Help file to recognise the Perl scripts and normalize shebangs
-for F in `find t -name *.t` `find t -name *.pl`; do
-    perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!.*perl\b}{$Config{startperl}}' "$F"
-    chmod +x "$F"
-done
-
 %build
-perl Makefile.PL NO_PACKLIST=1 NO_PERLLOCAL=1
-%{make_build}
+perl Makefile.PL
+make %{?_smp_mflags}

 %install
-%{make_install} INSTALLDIRS=perl
-
-# Install tests
-mkdir -p %{buildroot}/%{_libexecdir}/%{name}
-cp -a examples t %{buildroot}/%{_libexecdir}/%{name}
-# Remove release tests
-rm %{buildroot}/%{_libexecdir}/%{name}/t/999pod.t
-rm %{buildroot}/%{_libexecdir}/%{name}/t/999meta-*.t
-perl -i -pe "s{\"./bin/\"}{\"%{_bindir}\"}" %{buildroot}/%{_libexecdir}/%{name}/t/011-streamzip.t
-cat > %{buildroot}/%{_libexecdir}/%{name}/test << 'EOF'
-#!/bin/sh
-set -e
-# Lots of tests write into temporary files/directories. The easiest solution
-# is to copy the tests into a writable directory and execute them from there.
-DIR=$(mktemp -d)
-pushd "$DIR"
-cp -a %{_libexecdir}/%{name}/* ./
-unset PERL_CORE
-export TEST_SKIP_VERSION_CHECK=1
-prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
-popd
-rm -rf "$DIR"
-EOF
-chmod +x %{buildroot}/%{_libexecdir}/%{name}/test
-
-%{_fixperms} -c %{buildroot}
+make pure_install DESTDIR=%{buildroot} INSTALLDIRS=perl
+find %{buildroot} -type f -name .packlist -exec rm -f {} ';'
+%{_fixperms} %{buildroot}

 %check
-unset PERL_CORE
-export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
-export TEST_SKIP_VERSION_CHECK=1
 # Build using "--without long_tests" to avoid very long tests
 # (full suite can take nearly an hour on an i7 920)
 make test COMPRESS_ZLIB_RUN_%{?with_long_tests:ALL}%{!?with_long_tests:MOST}=1

 %files
 %doc Changes README examples/*
-%{_bindir}/streamzip
 %{_bindir}/zipdetails
 %{perl_privlib}/Compress/
 %{perl_privlib}/File/
@ -199,175 +127,13 @@ make test COMPRESS_ZLIB_RUN_%{?with_long_tests:ALL}%{!?with_long_tests:MOST}=1
 %{perl_privlib}/IO/Compress/Zip.pm
 %{perl_privlib}/IO/Compress/Zlib/
 %{perl_privlib}/IO/Uncompress/
-%{_mandir}/man1/streamzip.1*
 %{_mandir}/man1/zipdetails.1*
 %{_mandir}/man3/Compress::Zlib.3*
 %{_mandir}/man3/File::GlobMapper.3*
 %{_mandir}/man3/IO::Compress::*.3*
 %{_mandir}/man3/IO::Uncompress::*.3*

-%files tests
-%{_libexecdir}/%{name}
-
 %changelog
-* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.201-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu Jul 14 2022 Jitka Plesnikova <jplesnik@redhat.com> - 2.201-2
- Disable version check in tests
-
-* Sat Jun 25 2022 Paul Howarth <paul@city-fan.org> - 2.201-1
- 2.201 bump
-
-* Fri Jun 03 2022 Jitka Plesnikova <jplesnik@redhat.com> - 2.106-489
- Perl 5.36 re-rebuild of bootstrapped packages
-
-* Mon May 30 2022 Jitka Plesnikova <jplesnik@redhat.com> - 2.106-488
- Increase release to favour standalone package
-
-* Mon Apr 25 2022 Jitka Plesnikova <jplesnik@redhat.com> - 2.103-1
- 2.106 bump
-
-* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.102-480
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.102-479
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Mon May 24 2021 Jitka Plesnikova <jplesnik@redhat.com> - 2.102-478
- Perl 5.34 re-rebuild of bootstrapped packages
-
-* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 2.102-477
- Increase release to favour standalone package
-
-* Mon Mar 01 2021 Jitka Plesnikova <jplesnik@redhat.com> - 2.102-2
- Package tests
-
-* Sun Feb 28 2021 Paul Howarth <paul@city-fan.org> - 2.102-1
- 2.102 bump
-
-* Sat Feb 20 2021 Paul Howarth <paul@city-fan.org> - 2.101-1
- 2.101 bump
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.100-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Jan  7 2021 Paul Howarth <paul@city-fan.org> - 2.100-1
- 2.100 bump
- Use %%{make_build} and %%{make_install}
-
-* Sat Aug  1 2020 Paul Howarth <paul@city-fan.org> - 2.096-1
- 2.096 bump
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.095-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 21 2020 Petr Pisar <ppisar@redhat.com> - 2.095-1
- 2.095 bump
-
-* Tue Jul 14 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.094-1
- 2.094 bump
-
-* Fri Jun 26 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.093-457
- Perl 5.32 re-rebuild of bootstrapped packages
-
-* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.093-456
- Increase release to favour standalone package
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.093-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Sun Dec  8 2019 Paul Howarth <paul@city-fan.org> - 2.093-1
- 2.093 bump
-
-* Thu Dec 05 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.092-1
- 2.092 bump
-
-* Sun Nov 24 2019 Paul Howarth <paul@city-fan.org> - 2.091-1
- 2.091 bump
-
-* Sun Nov 10 2019 Paul Howarth <paul@city-fan.org> - 2.090-1
- 2.090 bump
-
-* Sun Nov  3 2019 Paul Howarth <paul@city-fan.org> - 2.089-1
- 2.089 bump
-
-* Sun Nov  3 2019 Paul Howarth <paul@city-fan.org> - 2.088-1
- 2.088 bump
-
-* Mon Aug 12 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.087-1
- 2.087 bump
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.086-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Jun 02 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.086-3
- Perl 5.30 re-rebuild of bootstrapped packages
-
-* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.086-2
- Perl 5.30 rebuild
-
-* Mon Apr 01 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.086-1
- 2.086 bump
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.084-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan  7 2019 Paul Howarth <paul@city-fan.org> - 2.084-1
- 2.084 bump
-
-* Wed Jan 02 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.083-1
- 2.083 bump
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.081-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Sat Jun 30 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.081-4
- Perl 5.28 re-rebuild of bootstrapped packages
-
-* Sat Jun 30 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.081-3
- Perl 5.28 re-rebuild of bootstrapped packages
-
-* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.081-2
- Perl 5.28 rebuild
-
-* Mon Apr 09 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.081-1
- 2.081 bump
-
-* Wed Apr  4 2018 Paul Howarth <paul@city-fan.org> - 2.080-1
- 2.080 bump
-
-* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.074-397
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Mon Dec 18 2017 Petr Pisar <ppisar@redhat.com> - 2.074-396
- Rewrite shell bangs using running perl
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.074-395
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Wed Jun 07 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.074-394
- Perl 5.26 re-rebuild of bootstrapped packages
-
-* Sat Jun 03 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.074-393
- Perl 5.26 rebuild
-
-* Mon Feb 20 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.074-1
- 2.074 bump
-
-* Mon Feb 13 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.072-1
- 2.072 bump
-
-* Fri Feb 10 2017 Petr Pisar <ppisar@redhat.com> - 2.070-2
- Adjust tests to zlib-1.2.11 (bug #1420012)
-
-* Thu Dec 29 2016 Paul Howarth <paul@city-fan.org> - 2.070-1
- Update to 2.070
-  - Fix prototype errors while lazy loading File::GlobMapper (CPAN RT#117675)
-  - zipdetails: Avoid loading optional modules from default . (CPAN RT#116538,
-    CVE-2016-1238)
- Simplify find command using -delete
-
 * Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.069-367
 - Avoid loading optional modules from default . (CVE-2016-1238)

--- a/plans/sanity.fmf
+++ b/plans/sanity.fmf
@ -1,5 +0,0 @@
-summary: Sanity tests
-discover:
-    how: fmf
-execute:
-    how: tmt
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (IO-Compress-2.201.tar.gz) = fc5b69df0eedbc91da05c7ff8a62fe8d194a2daf1fc3c8c1aacd5aad0a3d76ad59fee29dcf96db4e3537d00f65f980ae34c45bce5481f1e92278e52295cbde14
+b26925161e3f01919f60344d1bbb49c4  IO-Compress-2.069.tar.gz
--- a/tests/upstream-tests.fmf
+++ b/tests/upstream-tests.fmf
@ -1,4 +0,0 @@
-summary: Upstream tests
-component: perl-IO-Compress
-require: perl-IO-Compress-tests
-test: /usr/libexec/perl-IO-Compress/test